/*
    certs.me -- Test certificate generation

    This file provides targets to generate SSL test certificates using OpenSSL.
    WARNING: All these certificates are for internal use only.

    To generate a certificate request to send to a certificate authority like Verisign, do:
    This will create a certificate request file in "server.csr" and a private key in "server.key"

        me cert-request

    To use appweb with HTTP, you need a server certificate.
    This command will generate a self-signed test certificate called "self.crt" with a private key "self.key".

        me self-signed-cert

    To create a CA and then a server cert based on this CA.
    This command will generate a CA certificate in ca.crt with a CA private key in ca.key. The last minted certificate
    serial number is in ca.srl.

        me ca-cert

    To generate a certificate signed by the test CA.
    This will generate a certificate in "test.crt" with a private key in "test.key".

        me test-cert

    To generate an Elliptic Curve certificate signed by the test CA.
    This will generate a certificate in "ec.crt" with a private key in "ec.key".

        me ec-cert

    For all cert targets:

        me generate-certs
 */

Me.load({
    settings: {
        certs: {
            days: 3650,
            bits: 2048,
            gendh: false,
        }
    },
    mixin: `
        function ossl(command, input) {
            trace('Run', 'openssl ' + command)
            let cmd = Cmd()
            cmd.env = {}
            let result = cmd.start('openssl ' + command, {detach: true})
            if (input) {
                cmd.write(Path(input).readString())
            }
            cmd.finalize()
            cmd.wait()
            if (cmd.status != 0) {
                throw new IOError('Command failed, status ' + cmd.status + '\n' + cmd.error)
            }
            return cmd.response
        }
    `,
    targets: {
        'install-certs': {
            type: 'file',
            path: '${TOP}/certs',
            files: [ 'samples/*.crt', 'samples/*.key' ],
        },

        'generate-certs': {
            depends: [ 'ca-cert', 'self-signed-cert', 'test-cert', 'ec-cert' ],
        },

        'generate-samples': {
            depends: [ 'generate-certs', 'get-roots' ]
            action: `
                for each (f in Path('samples').files('**')) {
                    trace('Generate', f)
                    f.remove()
                    Path(f.basename).rename(f)
                }
                rm(['*.old', '*.csr', 'ca.db', 'ca.db.attr', '*.pem'])
            `
        },

        'get-roots': {
            action: `
                let http = Http()
                http.verify = false
                // http.get('https://pki.google.com/roots.pem')
                http.get('https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt')
                let dest = Path('roots.crt')
                trace('Create', dest)
                dest.write(http.response)
            `
        },

        /*
            WARNING: Self-signed server certificate for testing ONLY.
            Use a self-signed certificate when you just want quick and dirty testing.
            The browser will say it doesn't recognize this certificate, but that is ok for testing only.
            Creates a private key in self.key.

            See: http://www.sslshopper.com/article-most-common-openssl-commands.html
         */
        'self-signed-cert': {
            message: 'Make: Self-signed Certificate: self.crt',
            action: `
                ossl('genrsa -out self.key ${settings.certs.bits}')
                ossl('req -new -x509 -days ${settings.certs.days} -key self.key -out self.crt', 'self.ans')
            `,
        },

        /*
             Setup a test certificate authority. Use this if you will be generating multiple certificates for clients and
             servers.  NOTE: this is only for test. The certificate authority is not a real entity!
         */
        'ca-cert': {
            message: 'Make: CA Certificate: ca.crt',
            action: `
                ossl('genrsa -out ca.key ${settings.certs.bits}')
                ossl('req -config openssl.conf -new -x509 -days ${settings.certs.days} -key ca.key -out ca.crt -extensions caExtensions')
                Path('ca.srl').write('9999991000\n')
                Path('ca.db').write('')
            `,
        },

        /*
            Test cert signed by the test CA above. This is used for test as the server cert and on the client side
            when validating client certs.
         */
        'test-cert': {
            message: 'Make: Test Certificate: test.crt',
            action: `
                ossl('genrsa -out test.key ${settings.certs.bits}')
                ossl('req -new -key test.key -out test.csr', 'test.ans')
                ossl('ca -batch -config openssl.conf -notext -in test.csr -out test.crt -extensions server')
            `,
        },

        'ec-cert': {
            message: 'Make: EC Test Certificate: ec.crt',
            action: `
                //  -name secp256r1
                ossl('ecparam -genkey -name prime256v1 -out ec.key')
                ossl('req -new -key ec.key -out ec.csr', 'ec.ans')
                ossl('req -x509 -days 365 -key ec.key -in ec.csr -out ec.crt')
            `
        },

        'dhparams': {
            message: 'Generate: Local DH parameters for OpenSSL ... may take a few minutes',
            action: `
                Path.join('dh.c').write(Cmd.run('openssl dhparam -C ${settings.certs.bits} -out dh.pem') + '\n')
            `
        },

        /*
            Generate a certificate request to send to a certificate authority like Verisign
            Generates a server key in "server.key"
         */
        'cert-request': {
            action: `
                ossl('genrsa -out server.key ${settings.certs.bits}')
                ossl('req -new -key server.key -out server.csr', 'test.ans')
            `,
        },

        'show-certs': {
            action: `
                print(ossl('x509 -in ca.crt -noout -text'))
                print(ossl('x509 -in test.crt -noout -text'))
                print(ossl('x509 -in self.crt -noout -text'))
                print(ossl('x509 -in ec.crt -noout -text'))
            `
        }
    }
})
